New plan pushes toward multi-factor authentication
The Obama Administration has attempted to make strides when it comes to cybersecurity and digital identity. The latest is the Cybersecurity National Action Plan, which urges short-term actions to improve cybersecurity, protect privacy, maintain public safety and empower Americans to take better control of their digital security.
Obama’s cybersecurity and digital identity efforts are numerous. They started in 2010 with the National Strategy for Trusted Identities in Cyberspace and its many pilots that continue today. That was followed by a 2014 executive order calling for agencies to secure web sites with multi-factor authentication, and then finally a budget bill signed in December mandating that federal agencies deploy a trusted ID platform for citizen access to information.
The new Cybersecurity National Action Plan is multifaceted. It calls for the formation of a new position – the Federal Chief Information Security Officer – to lead these changes across government. The 2017 federal budget allocates more than $19 billion for cybersecurity – an increase of more than 35% over the 2016 enacted level. A separate effort aims to update legacy systems that are difficult to secure with modern technologies.
“I’m encouraged that the administration is directing the bulk of new dollars not at new ‘cyber’ programs, but rather at replacing legacy IT systems in government that are so outdated as to be not securable,” says Jeremy Grant, managing director at the Chertoff Group. “It makes more sense to shift resources away from trying to protect systems first architected in 1978 and toward replacing them with modern systems that can actually be secured.”
It’s well beyond time this received some attention. “You can bolt an airbag onto a ’78 Corvette, but it won’t look pretty and it won’t be very effective – and the same goes for trying to bolt modern protections onto outdated systems,” Grant explains. “This budget starts to shift the discussion – moving away from specific cyber programs that are layered on top of old IT and toward buying IT that bakes security in from the start.”
Specifically called out in the plan is the possibility of enabling consumers to move to multi-factor authentication:
“Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world. The National Cyber Security Alliance will partner with leading technology firms like Google, Facebook, DropBox, and Microsoft to make it easier for millions of users to secure their online accounts, and financial services companies such as MasterCard, Visa, PayPal, and Venmo that are making transactions more secure. In addition, the Federal Government will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the Federal Government’s adoption and use of effective identity proofing and strong multi-factor authentication methods and a systematic review of where the Federal Government can reduce reliance on Social Security Numbers as an identifier of citizens.”
In conjunction with the White House news, the National Cyber Security Alliance announced the expansion of its education efforts under the umbrella of STOP. THINK. CONNECT. This will support a broader effort to increase public awareness of the individual’s role in cybersecurity.
The NCSA announced a new multi-factor authentication education project with Logical Operations, New Horizons and CompTIA. The organizations are partnering to bring STOP. THINK. CONNECT’s existing tour, “Get Two Steps Ahead: Protect Your Digital Life,” to 15 or more cities nationwide this year. These in-person sessions deliver cybersecurity information directly to local communities, where attendees learn how to turn on multi-factor authentication and why it is an essential online safety tool for every American.
There are still some questions as to how all this will happen. “It’s good on the identity side to see the White House reiterate the need to accelerate adoption of strong multi-factor authentication and identity proofing for citizen-facing federal government digital services, as was called for in the President’s October, 2014 Executive Order,” Grant explains.
GSA is called out to lead this effort, but what’s notable is that the White House says the agency will establish a new cybersecurity program, despite the fact that they’ve already been managing Connect.Gov, Grant says. Connect.Gov is an existing program to enable citizens to use credentials they already have to access federal web sites. The system will also enable citizens to step up their identity if a higher level of assurance is needed.
Is this going to be a new program, or is it going to build off of the investments that have already been made in Connect.Gov? “If there is a new effort, will the GSA be directed to follow the Identity Ecosystem Framework created by the Identity Ecosystem Steering Group? Connect.gov was specifically architected to align with the framework, ensuring that citizen-facing digital services deliver enhanced privacy, security and usability with a solution that is interoperable across all agencies,” Grant says. “Now that version one of the framework is out – crafted through a partnership between the private sector and government – it will be important for the government to lead by example and embrace it.”